The Russian Mastermind Behind Backdoor.Proxybox

For the past three months we have been investigating a Russian attacker serving malware to hundreds of thousands of users per year. The malware is Backdoor.Proxybox, and our investigation has revealed an entire black hat operation, giving us interesting information on the operation and size of this botnet, and leading us to information that may identify the actual malware author.

Proxy services are nothing new. They are used to provide access to geographically locked content or to relay traffic for anonymity. The proxy reseller at proxybox.name sells access to proxy servers across the globe. From their front-end website, it appears as if they are a legitimate Russian proxy service, providing access to their entire list of thousands of proxies for only $40 a month. How can they provide access to so many servers for so little cash?
 

Figure 1. Proxybox main website (translated from Russian)
 

Threat components

The investigation began with the reverse engineering of the Backdoor.Proxybox malware. It is a threat we first identified in early 2010 and our analysis has shown increased recent activity. The threat is comprised of three components:

  1. Dropper
  2. Payload
  3. Rootkit

The dropper installs the payload as a service on the computer, copying the payload executable to the system and installing the rootkit. The rootkit attempts to protect the malicious payload and all other files associated with the threat to increase the threat's persistence. The rootkit implements a novel method to avoid device-stack file scanning. The payload itself is a DLL, which is executed when the computer starts and acts as a low-level proxy service that enters the compromised computer into a large botnet used for funneling traffic.
 

Threat analysis

When the computer starts, the payload contacts a hard-coded server address and requests a set of PHP pages to configure itself, set up backup command servers, test connection speed, and set up client authentication. The command server provides a list of peer servers to use as backups, runs a speed check on the compromised computer, and assigns a password for proxy authentication. Analysis of the command server also revealed several public PHP pages providing statistics on the botnet, as well as database credentials.
 

Figure 2. Botnet statistics from the command-and-control server
 

Figure 3. Command server database credentials
 

Command-and-control server monitoring over the last few months has suggested that the botnet controller tries to keep the size around 40,000 active users online at any time. The controller has used several mediums for distribution, including Blackhole Web exploits. Interestingly, each command server also provided the botnet client with a backup server with a URL of [http://]proxybox.name. This is actually the front-end website (Figure 1), used to sell access to the botnet. This URL was found in advertisements in underground forums such as Antichat.ru, a Russian forum for transactions involving shell and exploit scripts, proxy and VPN services, malware installs, and other disreputable services.
 

Figure 4. Antichat.ru advertisement of Proxybox.name service (translated from Russian)
 

Hacker identity

The advertisements by this user provide a link between four dubious websites, all authored by the same individual: an entrepreneurial Russian hacker. These websites all revolve around proxies and malware distribution. One website provides proxy access (proxybox.name), another provides VPN services (vpnlab.ru), one provides private antivirus scanning (avcheck.ru), and one provides proxy testing services (whoer.net). These four sites are also connected by static cross-linking advertisements. The author of these websites provides the same ICQ support number to the users of the Web services. Several of these websites offer services for money and the payment gateways used are always the same: WebMoney, Liberty Reserve, and RoboKassa.
 

Figure 5. Vpnlab.ru main page (translated from Russian)
 

We started to look into the payment accounts associated with these websites, and found out that they were tied to an individual with a Ukrainian name living in Russia. The additional details associated with this WebMoney account are undisclosed as we work with law enforcement in countries associated with the command-and-control servers.